KillProcess v2.20 and earlier - A malicious .exe file with a long FileDescription in version resource can generate a local exploitation of a buffer overflow and allows attackers to execute arbitrary code.
d4a52c6c52ff2884376c5af432ea24838c61930e713a1ae0b1407d325b1a4e59
VULNERABLE PRODUCT
------------------
Software: KillProcess
Platforms: Windows
Version: 2.20 and priors
Original advisorie: http://sbox.nightmail.ru
--------------------------
BACKGROUND
----------
This funny application can terminate any Windows process with the click of a button.
It can also prevent unwanted processes from ever executing by scanning the active
process list for unwanted processes and terminating them on sight.
Source: http://orangelampsoftware.com
DESCRIPTION
-------------
A malicious .exe file with a long FileDescription in version resource can generate
a local exploitation of a buffer overflow and allows attackers to execute arbitrary code.
PROOF OF CONCEPT
----------------
I've code a 2,78 Ko PoC.
FileDescription have been set to A x 544 bytes.
PoC is available here: http://sbox.nightmail.ru/KillProc_PoC.exe
There is another little bug, but not really dangerous.
If you add an application to killlist, then lunch it. Ok, boom ...
But if you start XX same process at the same time, all applications will not be killed.
ANALYSIS
--------
Exploitation of the described vulnerability allows attackers to
execute arbitrary code under the context of the user who started KillProcess.
VENDOR STATUS
-------------
Vendor have been contacted.
Thanks
------
Greet's fly out to ATmaCA. This idea was first credit by Kozan.
It was on Jul 20 2005, for another software, so thanks to him ;)
CREDiTS
----------------------
SecuBox Labs - fRoGGz
web: secubox.teria.org
--------------------------
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed